"AuthorizationFailed" error while creating Azure resources in RHDPS with ARO Open Environment
Environment
- Azure Red Hat OpenShift (ARO)
Issue
- Creation of Azure resources under RHDPS with ARO Open Environment is interrupted with an AuthorizationFailed error.
- A sample error message encountered by the user may look like:
(AuthorizationFailed) The client 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx' with object id 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/openshift' or the scope is invalid. If access was recently granted, please refresh your credentials.
Resolution
- Verify the scope for the role of the user account trying to create the resource group, with the help of the Azure documentation on Understanding scope for Azure RBAC.
- Assign the role and specify the scope for Subscriptions by following the Azure documentation on Assign Azure roles using the Azure portal.
Root Cause
The error is triggered by restricted permissions on the Subscriptions scope for creating resource groups. The user account attempting to create the resource group needs the appropriate role assigned at the Subscriptions scope.
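The scope check behind this error can be reproduced offline. The following Python code is an added example, not part of the original solution or of any Azure tooling: it parses the AuthorizationFailed message and tests a list of role assignments against the action and scope the message names. The GUIDs, the "sandbox" resource group and the simplified role definitions are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

ERROR_RE = re.compile(
    r"\(AuthorizationFailed\) The client '(?P<client>[^']+)' with object id "
    r"'(?P<object_id>[^']+)' does not have authorization to perform action "
    r"'(?P<action>[^']+)' over scope '(?P<scope>[^']+)'")

def parse_error(message):
    """Return client, object_id, action and scope, or None if no match."""
    m = ERROR_RE.search(message)
    return m.groupdict() if m else None

def scope_covers(assigned, target):
    """A role assignment applies at its own scope and at every child scope."""
    # Azure resource IDs are case-insensitive; compare whole path segments only.
    a, t = assigned.rstrip("/").lower(), target.rstrip("/").lower()
    return t == a or t.startswith(a + "/")

def action_allowed(action, actions, not_actions=()):
    """Wildcard-match the action against Actions, then exclude NotActions."""
    def hit(patterns):
        return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)
    return hit(actions) and not hit(not_actions)

def covering_assignments(message, assignments):
    """List the assignments that would authorize the request that failed."""
    err = parse_error(message)
    if err is None:
        raise ValueError("not an AuthorizationFailed message")
    return [a for a in assignments
            if a["principal"] == err["object_id"]
            and scope_covers(a["scope"], err["scope"])
            and action_allowed(err["action"], a["actions"], a.get("not_actions", ()))]

# Constructed sample data: placeholder GUIDs, simplified role definitions.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
OID = "11111111-1111-1111-1111-111111111111"
SAMPLE_ERROR = (
    "(AuthorizationFailed) The client '22222222-2222-2222-2222-222222222222' "
    f"with object id '{OID}' does not have authorization to perform action "
    "'Microsoft.Resources/subscriptions/resourcegroups/write' over scope "
    f"'{SUB}/resourcegroups/openshift' or the scope is invalid.")
BEFORE = [  # full access inside one resource group, read-only on the subscription
    {"principal": OID, "scope": f"{SUB}/resourceGroups/sandbox", "actions": ["*"]},
    {"principal": OID, "scope": SUB, "actions": ["*/read"]},
]
# After the resolution: a role that allows the write, assigned at subscription scope.
AFTER = BEFORE + [{"principal": OID, "scope": SUB, "actions": ["*"]}]
```

Calling covering_assignments(SAMPLE_ERROR, BEFORE) returns an empty list, which is the condition that produces the error; with AFTER it returns the subscription-scope assignment.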
Diagnostic Steps
- Refreshing the credentials, as stated in the error message, helps determine whether the role permissions for the Subscription scope need to be assigned. If refreshing the user's credentials does not resolve the issue, adjusting their role permissions as outlined in the Resolution section should resolve it.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.